Cybersecurity - SecureTheVillage
Cybersecurity
Robert J. Lipot, CRISC, Senior IT Examiner
June 2016
Discussion Topics
• Cybersecurity Issues
• Executive Order 13636
• States and Federal Regulators Promote Awareness
• Key Areas of Focus
• Cyber Assessment
• InTREx (exam procedures)
• Awareness & Information Activities
Cybersecurity Issues
• Heightened attacks on many commercial and financial services entities
• Accessibility of systems via the Internet or wireless connectivity
• A more mobile society wanting online access 24 x 7 from anywhere
• Global nature of business
Info-Tech Survey
82% of companies surveyed don’t have a formal process for evaluation of disruptive technologies
President’s Executive Order 13636 (02/12/2013)
• Executive Order (EO) 13636-Improving Critical Infrastructure Cybersecurity
• The EO has gotten the attention of Congress and regulators regarding ability to protect technology and manage cyber risks
Web 1.0 & 2.0
Web 1.0
• Dominated by published content
• Publicly accessible on-line
Web 2.0 - Interactive Internet
• Collaborative environment that facilitates creation and exchange of user-generated content via dynamic channels, including social media
• Platforms include video sharing, search engine marketing and optimization, online newsrooms, mash-ups, and viral and word-of-mouth (WOM) marketing
Cybersecurity Awareness - Importance
• Cyber criminals are becoming more “active” against financial entities and/or their customers
• Break-ins and attempted/actual thefts are more prevalent
• Not a matter of “if”, but “when”
• Method(s) of determining awareness and preparedness at our licensees
Finding/Determining/Addressing Key Areas of Focus
• Risk Assessment
• ID/value all enterprise assets/data
• Determine inherent risks - internal/external
• Evaluate controls
• Using CAT/other tools
• Mitigation strategies, as necessary
• DR/BCP and Incident Response
Threat Environment/Key Areas of Focus
• Web Facing Devices and Apps
• Security Monitoring
• Connection Security
• Mobile Devices/IoT
• DLP
• ATMs
• Privileged Accounts
• Patch Management
Issues/Concerns - Detection/Protection
• Common Security Mistakes
• Cybersecurity Assessment Tool (CAT)
• FFIEC Cyber Information
• Cyber Insurance
• Regulator Awareness
• FS-ISAC
Web “Facing” Devices and Applications
Key Hacker targets:
Websites
All Mobile Devices
Online Banking
Mobile Banking
App Stores
Internet of Things (IoT)
Security Monitoring - Internal & External Threats
• Continuous monitoring of system and network activity from sensors, devices, tools, etc.:
– Firewalls
– Routers
– IDS/IPS
– Vulnerability Assessments/Pen Testing
– Audit Logs
– Anti-Malware (viruses, spyware, etc.)
Connection Security
Knowledge of logical and physical connections, e.g.:
Core providers
Internet Service Providers
Wireless Networks
Virtual Private Networks
Wire Transfer/ACH Systems
Network/Core Processor Devices
Telecommunications Room
Mobile Devices are Targeted - DLP
BYOD vs. Licensee-owned
Types, e.g.:
Smart/Mobile Phones
Tablets/Notebooks
Laptops
Thumb Drives
Data Permitted
Applications Allowed
Device Security
Where are attacks coming from?
Multitude of Attack Vectors:
SMS
Wi-Fi
Bluetooth
Infrared
Web Browser
Email Client
Third Party Apps
Operating System Vulnerabilities
Physical Access
Current Mobile Threats: SMS Botnets
• SMS Spam Botnet - directs users to download malware directly onto their device:
1. An SMS is received containing a URL
2. When the user clicks on the URL, a Trojan is installed on the device along with the legitimate application
3. The Trojan contacts a C&C server to obtain the spam message
4. The spam message is sent to the contacts stored in the phone
Current Mobile Threats: Ransomware
• Ransomware - malware which effectively holds a user’s device hostage until a fee is paid
– Can also hit any computing device
– Banks and businesses have been impacted, and it will continue…
Internet of Things
Wearable technology, e.g.:
• Google Glass, Apple Watches, etc.
• Fitbits
• Many others……..
Internet of Things
Many other “things”:
• Cars
• Appliances
• Security cameras/ security alarm sensors
• Printers
• List goes on……..
Internet of Things
Five Reasons IoT is Different than “Conventional” IT (Drue Reeves)
• IoT is business driven
• The volume, velocity and variety of data
• Combination of “operational tech” and “information tech”
• Unique risks created by end-to-end automation
• Integration, integration, integration
ATMs Aren’t Exempt
Per Krebs on Security:
• Bluetooth devices are “planted” inside ATMs
• They capture all card and PIN data entered
• They can capture megabytes of data
• Crooks then use Bluetooth to exfiltrate the captured data
Hacked PC and Hacked Email (Krebs on Security diagrams showing the many ways a compromised PC or email account is monetized; images not reproduced here)
Privileged/Admin Access
• “Skeleton Key” - an all-access key
• Access to key functions such as adding, deleting and changing employee rights and permissible activities - a key to gaining system control
• Access to key controls such as auditing and logging that would otherwise record a cyber event
Privileged/Admin Access
• Could also permit “root” access, which allows the holder to change operating system controls
• 80% of cyber theft is committed with privileged access - Sony, Target, etc.
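The detection side of the two points above (audit logs as a monitoring source, and privileged accounts that can switch off the controls which would record a cyber event), as an added example rather than code from the presentation or from the FFIEC/CAT. It assumes Linux sudo-style audit lines and a small, representative rule set; the sample log lines, host and user names are constructed, and the rules would need tuning to the platform actually deployed.

```python
"""Flag privilege grants and tampering with logging/auditing controls in a
syslog-style sudo audit stream, then correlate the two.  Added example; the
log lines, host names and account names below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample data: a user grants a new account admin rights, and that
# account immediately turns off auditd, stops syslog and deletes the audit log.
SAMPLE_LOG = """\
2016-06-01T08:02:11 bank-core01 sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/tail /var/log/secure
2016-06-01T08:05:40 bank-core01 sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/sbin/usermod -aG wheel tempadmin
2016-06-01T08:06:02 bank-core01 useradd[2211]: new user: name=tempadmin, UID=1005, GID=1005
2016-06-01T08:07:15 bank-core01 sudo: tempadmin : TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/sbin/auditctl -e 0
2016-06-01T08:07:30 bank-core01 sudo: tempadmin : TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/bin/systemctl stop rsyslog
2016-06-01T08:08:01 bank-core01 sudo: tempadmin : TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/bin/rm -f /var/log/audit/audit.log
2016-06-01T09:00:00 bank-core01 sudo: backup : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/rsync -a /srv /backup
"""

# Parses the standard sudo log format (timestamp host sudo: actor : ... COMMAND=...)
SUDO_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sudo: (?P<actor>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# (category, pattern over the executed command).  Representative, not exhaustive.
RULES = [
    ("PRIV_GRANT", re.compile(r"\busermod\b.*-a?G\b.*\b(wheel|sudo|admin|root)\b")),
    ("PRIV_GRANT", re.compile(r"\bgpasswd\b.*-a\b.*\b(wheel|sudo|admin)\b")),
    ("PRIV_GRANT", re.compile(r"(\bvisudo\b|/etc/sudoers)")),
    ("LOG_TAMPER", re.compile(r"\bauditctl\b.*-e\s*0\b")),              # disable auditd
    ("LOG_TAMPER", re.compile(r"\b(systemctl|service)\b(?=.*\b(stop|disable)\b)(?=.*\b(auditd|rsyslog|syslog))")),
    ("LOG_TAMPER", re.compile(r"\b(rm|shred|truncate)\b.*/var/log/")),  # destroy logs
    ("LOG_TAMPER", re.compile(r">\s*/var/log/\S+")),                    # overwrite logs
]

# For "usermod ... <account>" the account is the last argument.
USERMOD_TARGET_RE = re.compile(r"\busermod\b.*\s(\S+)\s*$")


@dataclass
class Finding:
    ts: str
    host: str
    actor: str
    category: str
    command: str


def analyze(log_text: str) -> List[Finding]:
    """Return one Finding per sudo line whose command matches a rule (first rule wins)."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue  # useradd and other non-sudo lines are not examined here
        cmd = m.group("cmd")
        for category, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(m.group("ts"), m.group("host"), m.group("actor"), category, cmd))
                break
    return findings


def correlate(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Map each account that was granted privileges and then, acting as itself,
    tampered with logging/auditing controls to those tampering findings.
    Findings are processed in log order, so the grant must precede the tampering."""
    newly_privileged: Set[str] = set()
    escalations: Dict[str, List[Finding]] = {}
    for f in findings:
        if f.category == "PRIV_GRANT":
            m = USERMOD_TARGET_RE.search(f.command)
            if m:
                newly_privileged.add(m.group(1))
        elif f.category == "LOG_TAMPER" and f.actor in newly_privileged:
            escalations.setdefault(f.actor, []).append(f)
    return escalations


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.host} {f.category:<11} actor={f.actor} cmd={f.command}")
    for actor, events in correlate(found).items():
        print(f"ALERT: {actor} was granted privileges and then altered logging controls ({len(events)} events)")
```

The point of `correlate` is that each line on its own could be routine administration; a newly privileged account whose first actions are to silence auditd and syslog is the pattern the slide warns about, and it is only visible when the audit stream is shipped to a collector the privileged account cannot reach.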
Common Security/Cyber Mistakes
• Treating security as a “once and done” activity
• Not knowing where the data is at all times
• Forgetting about “all” tech items employed
• Not ensuring security is entity-wide and that everyone plays a role
Common Security/Cyber Mistakes
• Not addressing different “age groups” and cultures
• Treating security as an afterthought
• Not knowing who is targeting the entity
• Not fully understanding the implications of third-party risks to the licensee
Cybersecurity Assessment
Assessment methodology:
• FFIEC has provided a Cybersecurity Assessment methodology for financial institution use - information at www.FFIEC.gov
• It assists in determining how much cybersecurity effort has been performed by the Licensee
• Aligned with the NIST (National Institute of Standards and Technology) Cybersecurity Framework, which in turn references the NIST SP 800-53 controls
• For 2015/16, examiners are reviewing for the Assessment “Baseline” maturity level and striving for higher levels
• Alternative methods to the CAT that provide the same/similar results are acceptable
• The CAT covers the areas listed on the previous slides
FFIEC Cybersecurity Assessment Tool (cont.)
• Currently- voluntary
• Licensee awareness-discuss the “Tool”
• Inform management of FFIEC link
• As usual, expect more information - stay tuned
FFIEC CAT Domains; Highlight - FFIEC’s Cyber Maturity; Risk/Maturity Relationship; Definitions of Maturity Levels; FFIEC Cyber Web Page (slides shown as diagrams/screenshots; content not reproduced here)
IT Exam Procedures - InTREx
• InTREx = Information Technology Risk Examination
• Four main work programs (WPs): Audit, Management, Development & Acquisition, and Support & Delivery
• The other WPs: Cybersecurity, EFT, and Information Security Standards (GLBA)
• The WPs incorporate the CAT
IT Exam Procedures - InTREx (cont.)
• Each WP is targeted to provide the analysis needed to assign a URSIT (Uniform Rating System for Information Technology) component rating (1-5)
• The other WPs provide supplemental information to assist with the URSIT component and composite ratings
• Like IT-RMP, InTREx results will still weigh heavily on the Management component of the Safety & Soundness (CAMELS) rating
IT Exam Procedures - InTREx (cont.)
• InTREx is in the “test” phase until June 2016
• Each state will need to determine/approve whether it will use InTREx or a facsimile going forward
• Federal regulators - FRB and FDIC - have already made that determination
• Large banks, depending on state/federal guidelines, may use the FFIEC WPs from the IT Handbooks
Cyber Risk Insurance
• Has been around for 11 years
• Used as a “risk transfer” option
• As of Jan 2015, 46 of 50 US states have mandatory data breach notification standards
• Expenses of handling/covering such losses are increasing - may be an option for our Licensees
• Some states are looking at examinations that include cyber insurance, e.g. NY
• Is expected to grow substantially
Cyber Risk Ins. Coverage
• Theft or manipulation of sensitive or private information
• Computer viruses, malware, etc.
• Computer fraud
• Could carry a “high” deductible and only a percentage of coverage above it
• May only be obtainable from some insurance companies
• Coverage will come with certain conditions
Cyber Insurance Summary
• Not all policies are “created equal”
• Certain cyber risks may be covered, some not
• Licensees need to “shop around” for terms, conditions, coverages, and deductibles
• Costs will vary depending on the size and complexity of our Licensees, along with which risks are and are not covered
• Need due diligence in looking for appropriate coverage specific to the Licensee
Regulators Promote Awareness and Information Activities (some examples)
• FFIEC Cybersecurity webinar for Board and senior management and guidance
• FFIEC Cyber awareness (link on main web page)
Regulators Promote Awareness and Information Activities (some examples)
• State Example: Cybersecurity in the Golden State - California Attorney General Kamala Harris’s cybersecurity guide: https://oag.ca.gov/cybersecurity
• CSBS Corporate Account Takeover (CATO) webinar and guidance (on CSBS website)
FS-ISAC
• Financial Services - Information Sharing and Analysis Center
• Provides a wealth of information to Licensees
• FFIEC encourages becoming a member for certain benefits
• Website: https://www.fsisac.com/
Quick Cybersecurity Recap
• Management needs to realize the importance of awareness, preparation, training, and ongoing alertness
• Thus, cybersecurity efforts should be discussed at key management committees and reported to the Board
Cybersecurity Summary
• IT systems need to be updated regularly
• Staff training and vigilance are key components for prevention
• Licensees can’t be caught asleep at the switch!
References
• www.FFIEC.gov
• www.nist.gov
• www.fsisac.com
• whatis.techtarget.com
• www.fdic.gov (RD Memo 2015-11)